- Apr 28, 2015
- 9,039
Description
Kaspersky Lab has fixed a number of vulnerabilities found by Mr. Tavis Ormandy:
Full source: List of Advisories
Kaspersky Lab has fixed a number of vulnerabilities found by Mr. Tavis Ormandy:
- Specific scenarios existed when unprivileged user might read file with a private key created by product for managing SSL connection. This could be used by attacker/malware with access to a host in order to obtain this file to perform targeted attacks on SSL connections initiated by browser application on the host.
- If user navigated to a web site with invalid SSL certificate and decided to trust it by selecting Continue on the product's warning in order to access the site, product added the certificate to trusted root incorrectly. That might be used by attacker to skip invalid certificate warning if user access sites that were listed in Subject Alternative Names of the original invalid SSL certificate.
- SSL certificate caching error existed that might be used by attacker with a control of network in order to perform targeted attack on a host to intercept SSL connections initiated by browser application specifically by using IP address instead of a domain name.
Full source: List of Advisories